Yahoo didn't reveal the breach until September last year. Just three months later, the Sunnyvale-based company admitted a separate hack in 2013 that affected one billion accounts, including some that were also infiltrated in 2014. Earlier this month, Yahoo announced a third breach, in which 32 million accounts were accessed between 2015 and 2016.

"Corporations in general do not do enough to secure their data and mitigate breaches," cybersecurity expert and CEO of Route1 Tony Busseri told us Thursday. "This is largely because they have no motivation to do so, as they are quite simply not held accountable for security shortcomings. In contrast, the U.S. federal government has done a better job of implementing stringent cybersecurity requirements for its own civilian and defense agencies, but similar protocols have not been applied for corporate America."

Route1 is a US- and Canada-based cybersecurity firm that protects user authentication and data for government agencies and businesses.

"Not enough has been done at the federal level to hold corporations accountable for their security failings," Busseri added. "I suggest that government and corporate entities work together to enact a security sea change, and deploy their collectively massive resources and influence. If enterprises are not held accountable for their security lapses, this change will never occur."

According to US officials, the Yahoo hackers took their time, delving deeper into the company's network over a period of months or years. This allowed them to create "skeleton keys" to "unlock" accounts and other email services.

"Employees often use their personal devices in a manner that risks data loss or leakage for the enterprise – in most cases inadvertently," Busseri explained. "Companies must therefore invest in technology solutions that allow their workforce to utilize their devices while eliminating the human risk factor."

Corporate data should never be stored on mobile devices, even if it's encrypted, Busseri advised. "Malicious parties can gain access to that sensitive information should the device fall into their hands. In other words, sensitive data stored on a personal device is vulnerable to theft."

Busseri is a strong advocate of two-factor authentication, which "validates user access through a combination of something they know, such as a password, and something they have, such as an enterprise-issued smart-card."

"Passwords alone do not adequately restrict access to sensitive data by unauthorized parties," the CEO explained. "We have witnessed this through countless instances of stolen mobile device passwords being cracked by hackers, often resulting in massive data breaches."